418c5fa990720936d23f83e5bd72b11d4bbf045b33e60efe09e28aa074eac424 | Triage

Analysis

max time kernel
35s
max time network
45s
platform
windows10_x64
resource
win10v20210408
submitted
31-05-2021 04:01

Sharing

Report Analysis Logs

General

Target

FC1A502103DBFF4E6054210D55FA670F.exe
Size

8KB
MD5

fc1a502103dbff4e6054210d55fa670f
SHA1

2e710dc3374c329f20d52efd119338adbda27b53
SHA256

418c5fa990720936d23f83e5bd72b11d4bbf045b33e60efe09e28aa074eac424
SHA512

a0c6a5512ec43699ac58383fe10ef4c3deac3038bc626837ea63aef2a2f9cfe9bff65419b51e484fe4d83f8dbc460fcd1558c322ae7d909a0518069d3d64ae91

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3364	3728	WerFault.exe	48

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
3364	WerFault.exe
3364	WerFault.exe
3364	WerFault.exe
3364	WerFault.exe
3364	WerFault.exe
3364	WerFault.exe
3364	WerFault.exe
3364	WerFault.exe
3364	WerFault.exe
3364	WerFault.exe
3364	WerFault.exe
3364	WerFault.exe
3364	WerFault.exe
3364	WerFault.exe
3364	WerFault.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3728	FC1A502103DBFF4E6054210D55FA670F.exe
Token: SeDebugPrivilege	3364	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\FC1A502103DBFF4E6054210D55FA670F.exe
"C:\Users\Admin\AppData\Local\Temp\FC1A502103DBFF4E6054210D55FA670F.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3728
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3728 -s 1308
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3364

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3728-114-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/3728-116-0x000000001B350000-0x000000001B352000-memory.dmp

Filesize
8KB

Download